Encryption Management Server encrypts email to an incorrect External User key

Article ID: 170465

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

If an administrator manually adds the key for an External User using the administration console but at a later date the external user starts using a new key, Encryption Management Server will continue to encrypt outbound mail to the old key and the external user may no longer be able to decrypt it.

Cause

This is by design.

Environment

Encryption Management Server 3.3 and above.

Resolution

Web Email Protection not Enabled

If Web Email Protection is not enabled, the administrator will need to import the new public key of the external user:

  1. From the Keys / Managed Keys page of the administration console, click on the Add Managed Keys button and then choose External Users.
  2. From the Add External Users pop-up, click on the Import Keys button.
  3. Choose either Import Key File and browse to a file containing the public key or choose Import Key Block to paste the public key from the clipboard; the text to paste will start with BEGIN PGP PUBLIC KEY BLOCK.
  4. Click the Import button to import the key.

Note that if an external user account contains more than one valid key, Encryption Management Server will attempt to encrypt messages to all of the keys. Therefore, to avoid unnecessary processing, if the external user's key has changed permanently, their previous keys should be deleted:

  1. From the Consumers / Users / External Users page of the administration console, find the external user and click on their email address.
  2. From the Managed Keys section, delete any of the external user's keys that are no longer required by clicking on the Delete Key button next to the key.
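Because the server will keep encrypting to whichever keys are on the external user's account, the step that matters most is importing the right key block and nothing else. The following Python example is added to this article and is not part of Encryption Management Server or its tooling; it performs the checks an administrator would want to make on a pasted BEGIN PGP PUBLIC KEY BLOCK before importing it: that the armor is intact (the CRC-24 checksum from RFC 4880 matches), that the first packet really is a Public-Key packet, and that the v4 fingerprint equals the one the external user communicated out of band. The sample key block it builds is constructed from placeholder numbers (the RSA modulus, exponent and creation time are assumptions, not a real key), and the function names are the example's own.

```python
import base64
import hashlib

# Armor delimiters the article tells the administrator to look for when pasting a key block.
ARMOR_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_FOOTER = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """OpenPGP ASCII-armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def _packet_header(data: bytes):
    """Return (tag, header_length, body_length) of the first OpenPGP packet."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header
        tag, b1 = first & 0x3F, data[1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[2] + 192
        if b1 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths are not supported")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if length_type == 3:
        raise ValueError("indeterminate packet length is not supported")
    header_len = 1 + (1 << length_type)                    # 2, 3 or 5 bytes
    return tag, header_len, int.from_bytes(data[1:header_len], "big")


def parse_public_key_block(armored: str) -> dict:
    """Validate the armor and return the primary key's version, creation time,
    algorithm and v4 fingerprint. Raises ValueError for anything that should not be imported."""
    lines = [ln.rstrip() for ln in armored.strip().splitlines()]
    if not lines or lines[0] != ARMOR_HEADER or lines[-1] != ARMOR_FOOTER:
        raise ValueError("text is not a PGP PUBLIC KEY BLOCK")
    inner = lines[1:-1]
    if "" in inner:                          # skip armor headers such as Version: or Comment:
        inner = inner[inner.index("") + 1:]
    checksum = inner.pop() if inner and inner[-1].startswith("=") else None
    data = base64.b64decode("".join(inner), validate=True)
    if not data:
        raise ValueError("key block contains no data")
    if checksum is not None:
        expected = int.from_bytes(base64.b64decode(checksum[1:]), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC-24 mismatch: block is corrupted or was altered")
    tag, header_len, body_len = _packet_header(data)
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected a Public-Key packet (tag 6)")
    body = data[header_len:header_len + body_len]
    if len(body) != body_len or body[0] != 4:
        raise ValueError("truncated packet or unsupported key version")
    # v4 fingerprint: SHA-1 over 0x99, the two-byte body length and the body (RFC 4880 12.2)
    fingerprint = hashlib.sha1(b"\x99" + body_len.to_bytes(2, "big") + body).hexdigest().upper()
    return {"version": 4, "created": int.from_bytes(body[1:5], "big"),
            "algorithm": body[5],            # 1 = RSA
            "fingerprint": fingerprint, "key_id": fingerprint[-16:]}


def fingerprint_matches(armored: str, expected_fingerprint: str) -> bool:
    """Compare the block's fingerprint with the one the external user sent out of band."""
    return parse_public_key_block(armored)["fingerprint"] == expected_fingerprint.replace(" ", "").upper()


def is_intact(armored: str) -> bool:
    try:
        parse_public_key_block(armored)
        return True
    except ValueError:
        return False


def _mpi(value: int) -> bytes:
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_sample_block(n: int, e: int, created: int) -> str:
    """Construct an armored v4 RSA Public-Key packet for the demonstration; the numbers
    are placeholders, not a usable key pair."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)
    packet = bytes([0x80 | (6 << 2), len(body)]) + body   # old-format header, 1-byte length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_HEADER, "Comment: constructed sample key", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, ARMOR_FOOTER])


SAMPLE_CREATED = 1700000000                  # constructed creation timestamp
SAMPLE_BLOCK = build_sample_block(0xC0FFEE1234567891ABCDEF0123456789, 65537, SAMPLE_CREATED)
# Alter one base64 character of the key data to show the CRC catching a damaged paste.
_lines = SAMPLE_BLOCK.splitlines()
_i = _lines.index("") + 1
_lines[_i] = ("A" if _lines[_i][0] != "A" else "B") + _lines[_i][1:]
TAMPERED_BLOCK = "\n".join(_lines)

if __name__ == "__main__":
    info = parse_public_key_block(SAMPLE_BLOCK)
    print("fingerprint:", " ".join(info["fingerprint"][i:i + 4] for i in range(0, 40, 4)))
    print("tampered block accepted:", is_intact(TAMPERED_BLOCK))
```

Only the primary key's fingerprint is checked here; subkeys and user IDs that follow it in a real block are left to the server. The point is the comparison in fingerprint_matches: confirming the fingerprint against a value received on a separate channel is what prevents an administrator from importing a key block that was substituted or mangled in transit, which the Import Key Block dialog itself cannot detect.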

Web Email Protection Enabled

If Web Email Protection is enabled, an external user can upload their public key themselves using the Web Email Protection portal.

If an administrator initially created the external user by uploading their public key using the administration console, the external user may never have logged into the Web Email Protection portal, but they can still use the portal to update their key.

Web Email Protection users need to be given permission to upload their own keys. This is configured by enabling the option Import OpenPGP Key or digital ID/X.509 Certificate for S/MIME under the Web Email Protection section of their Policy. By default, Web Email Protection users are in the Default Policy.

Once this setting is in place, the following steps need to be carried out by the external user.

For a user who has never logged onto the portal or who has forgotten their passphrase

  1. Browse to the Web Email Protection portal.
  2. Click on the link I lost my passphrase.
  3. Enter email address.
  4. Wait for an email message with the Subject Symantec Encryption Server Passphrase Reset.
  5. Click on the reset passphrase URL in the body of the message.
  6. Enter a passphrase for the Web Email Protection account, then repeat the passphrase.
  7. The Secure Messaging Settings page will be loaded. This will show the current primary key that is being used to encrypt messages.
  8. Click on the Choose Option button to load the Please Enter Your Public Key page.
  9. Select either Import Key File to browse to a file containing the public key or select Import Key Block to paste the key from the clipboard; the text to paste will start with BEGIN PGP PUBLIC KEY BLOCK.
  10. Click the Continue button to upload the public key.
  11. The PGP Key Uploaded page will appear showing the new key details.
  12. Click the Logout button to log out of Web Email Protection.

For a user who can remember their passphrase and can log into the portal

  1. Log on to the portal. The Secure Messaging Settings page will be loaded. This will show the current primary key that is being used to encrypt messages.
  2. Click on the Choose Option button to load the Please Enter Your Public Key page.
  3. Select either Import Key File to browse to a file containing the public key or select Import Key Block to paste the key from the clipboard.
  4. Click the Continue button to upload the public key.
  5. The PGP Key Uploaded page will appear showing the new key details.
  6. Click the Logout button to log out of Web Email Protection.

For a user who is currently reading messages directly on the portal and wishes to use a key instead

  1. Log on to the portal. The Inbox will be shown.
  2. Click the Settings link from the top right of the page. This will load the Secure Messaging Settings page.
  3. Select Key or digital ID/certificate from the list of options.
  4. Click on the Choose Option button to load the Please Enter Your Public Key page.
  5. Select either Import Key File to browse to a file containing the public key or select Import Key Block to paste the key from the clipboard.
  6. Click the Continue button to upload the public key.
  7. The PGP Key Uploaded page will appear showing the new key details.
  8. Click the Logout button to log out of Web Email Protection.